1*8aaffd78SIgor Ostapenko.\" 2*8aaffd78SIgor Ostapenko.\" SPDX-License-Identifier: BSD-2-Clause 3*8aaffd78SIgor Ostapenko.\" 4*8aaffd78SIgor Ostapenko.\" Copyright (c) 2024 Igor Ostapenko <pm@igoro.pro> 5*8aaffd78SIgor Ostapenko.\" 6*8aaffd78SIgor Ostapenko.\" Redistribution and use in source and binary forms, with or without 7*8aaffd78SIgor Ostapenko.\" modification, are permitted provided that the following conditions 8*8aaffd78SIgor Ostapenko.\" are met: 9*8aaffd78SIgor Ostapenko.\" 1. Redistributions of source code must retain the above copyright 10*8aaffd78SIgor Ostapenko.\" notice, this list of conditions and the following disclaimer. 11*8aaffd78SIgor Ostapenko.\" 2. Redistributions in binary form must reproduce the above copyright 12*8aaffd78SIgor Ostapenko.\" notice, this list of conditions and the following disclaimer in the 13*8aaffd78SIgor Ostapenko.\" documentation and/or other materials provided with the distribution. 14*8aaffd78SIgor Ostapenko.\" 15*8aaffd78SIgor Ostapenko.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16*8aaffd78SIgor Ostapenko.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17*8aaffd78SIgor Ostapenko.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18*8aaffd78SIgor Ostapenko.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19*8aaffd78SIgor Ostapenko.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20*8aaffd78SIgor Ostapenko.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21*8aaffd78SIgor Ostapenko.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22*8aaffd78SIgor Ostapenko.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23*8aaffd78SIgor Ostapenko.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24*8aaffd78SIgor Ostapenko.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25*8aaffd78SIgor Ostapenko.\" SUCH DAMAGE. 26*8aaffd78SIgor Ostapenko.\" 27*8aaffd78SIgor Ostapenko.\" Note: The date here should be updated whenever a non-trivial 28*8aaffd78SIgor Ostapenko.\" change is made to the manual page. 29*8aaffd78SIgor Ostapenko.Dd August 2, 2024 30*8aaffd78SIgor Ostapenko.Dt DUMMYMBUF 4 31*8aaffd78SIgor Ostapenko.Os 32*8aaffd78SIgor Ostapenko.Sh NAME 33*8aaffd78SIgor Ostapenko.Nm dummymbuf 34*8aaffd78SIgor Ostapenko.Nd "mbuf alteration pfil hooks" 35*8aaffd78SIgor Ostapenko.Sh SYNOPSIS 36*8aaffd78SIgor OstapenkoTo compile the driver into the kernel, 37*8aaffd78SIgor Ostapenkoplace the following line in the 38*8aaffd78SIgor Ostapenkokernel configuration file: 39*8aaffd78SIgor Ostapenko.Bd -ragged -offset indent 40*8aaffd78SIgor Ostapenko.Cd "device dummymbuf" 41*8aaffd78SIgor Ostapenko.Ed 42*8aaffd78SIgor Ostapenko.Pp 43*8aaffd78SIgor OstapenkoAlternatively, to load the driver as a 44*8aaffd78SIgor Ostapenkomodule at boot time, place the following line in 45*8aaffd78SIgor Ostapenko.Xr loader.conf 5 : 46*8aaffd78SIgor Ostapenko.Bd -literal -offset indent 47*8aaffd78SIgor Ostapenkodummymbuf_load="YES" 48*8aaffd78SIgor Ostapenko.Ed 49*8aaffd78SIgor Ostapenko.Sh DESCRIPTION 50*8aaffd78SIgor OstapenkoThis module is intended to test networking code in the face of unusual mbuf 51*8aaffd78SIgor Ostapenkolayouts. 52*8aaffd78SIgor OstapenkoThe special 53*8aaffd78SIgor Ostapenko.Xr pfil 9 54*8aaffd78SIgor Ostapenkohooks are provided for mbuf alteration and can be listed with 55*8aaffd78SIgor Ostapenko.Xr pfilctl 8 56*8aaffd78SIgor Ostapenkoas follows: 57*8aaffd78SIgor Ostapenko.Bd -literal -offset indent 58*8aaffd78SIgor Ostapenko Hook Type 59*8aaffd78SIgor Ostapenko dummymbuf:ethernet Ethernet 60*8aaffd78SIgor Ostapenko dummymbuf:inet6 IPv6 61*8aaffd78SIgor Ostapenko dummymbuf:inet IPv4 62*8aaffd78SIgor Ostapenko.Ed 63*8aaffd78SIgor Ostapenko.Pp 64*8aaffd78SIgor OstapenkoTo activate a hook it must be linked to the respective 65*8aaffd78SIgor Ostapenko.Xr pfil 9 66*8aaffd78SIgor Ostapenkohead. 67*8aaffd78SIgor Ostapenko.Xr pfilctl 8 68*8aaffd78SIgor Ostapenkocan be used for the linking. 69*8aaffd78SIgor Ostapenko.Pp 70*8aaffd78SIgor OstapenkoEach time a hook is invoked it reads a single shared set of 71*8aaffd78SIgor Ostapenko.Sx RULES 72*8aaffd78SIgor Ostapenkofrom 73*8aaffd78SIgor Ostapenko.Va net.dummymbuf.rules 74*8aaffd78SIgor Ostapenkosysctl. 75*8aaffd78SIgor OstapenkoThe rules are evaluated sequentially and each matching rule performs the 76*8aaffd78SIgor Ostapenkospecified operation over the mbuf. 77*8aaffd78SIgor Ostapenko.Pp 78*8aaffd78SIgor OstapenkoAfter every successfully applied operation the 79*8aaffd78SIgor Ostapenko.Va net.dummymbuf.hits 80*8aaffd78SIgor Ostapenkosysctl counter is increased. 81*8aaffd78SIgor Ostapenko.Pp 82*8aaffd78SIgor OstapenkoA hook returns an altered mbuf for further processing, but it drops a packet 83*8aaffd78SIgor Ostapenkoif rules parsing or an operation fails. 84*8aaffd78SIgor OstapenkoAlso, the first mbuf of the original chain may be changed. 85*8aaffd78SIgor Ostapenko.Pp 86*8aaffd78SIgor OstapenkoThe module is 87*8aaffd78SIgor Ostapenko.Xr VNET 9 88*8aaffd78SIgor Ostapenkobased, hence every 89*8aaffd78SIgor Ostapenko.Xr jail 2 90*8aaffd78SIgor Ostapenkoprovides its own set of hooks and sysctl variables. 91*8aaffd78SIgor Ostapenko.Sh RULES 92*8aaffd78SIgor OstapenkoThe set of rules is a semicolon separated list. 93*8aaffd78SIgor OstapenkoAn empty string is treated as a parsing failure. 94*8aaffd78SIgor OstapenkoA rule conceptually has two parts, filter and operation, with the following 95*8aaffd78SIgor Ostapenkosyntax: 96*8aaffd78SIgor Ostapenko.Bd -literal -offset indent 97*8aaffd78SIgor Ostapenko{inet | inet6 | ethernet} {in | out} <ifname> <opname>[ <opargs>]; 98*8aaffd78SIgor Ostapenko.Ed 99*8aaffd78SIgor Ostapenko.Ss Filter 100*8aaffd78SIgor OstapenkoThe first word of a rule matches 101*8aaffd78SIgor Ostapenko.Xr pfil 9 102*8aaffd78SIgor Ostapenkotype. 103*8aaffd78SIgor OstapenkoThe second matches packet's direction, and the third matches the network 104*8aaffd78SIgor Ostapenkointerface a packet is coming from. 105*8aaffd78SIgor Ostapenko.Ss Operation 106*8aaffd78SIgor OstapenkoAn operation may have arguments separated from its name by space. 107*8aaffd78SIgor OstapenkoThe available operations are: 108*8aaffd78SIgor Ostapenko.Bl -tag -width indent 109*8aaffd78SIgor Ostapenko.It pull-head <number-of-bytes> 110*8aaffd78SIgor OstapenkoUnconditionally creates a brand new cluster-based mbuf and links it to be the 111*8aaffd78SIgor Ostapenkofirst mbuf of the original mbuf chain, with respective packet header moving. 112*8aaffd78SIgor OstapenkoAfter, the given number of bytes are pulled from the original mbuf chain. 113*8aaffd78SIgor Ostapenko.Pp 114*8aaffd78SIgor OstapenkoIf it is asked to pull 0 bytes then the first mbuf of the resulting chain will 115*8aaffd78SIgor Ostapenkobe left empty. 116*8aaffd78SIgor OstapenkoAsking to pull more than 117*8aaffd78SIgor Ostapenko.Dv MCLBYTES 118*8aaffd78SIgor Ostapenkois treated as an operation failure. 119*8aaffd78SIgor OstapenkoIf a mbuf chain has less data than asked then the entire packet is pulled with 120*8aaffd78SIgor Ostapenkotail mbuf(s) left empty. 121*8aaffd78SIgor Ostapenko.Pp 122*8aaffd78SIgor OstapenkoAs a result, only the layout of a mbuf chain is altered, its content logically 123*8aaffd78SIgor Ostapenkois left intact. 124*8aaffd78SIgor Ostapenko.El 125*8aaffd78SIgor Ostapenko.Sh SYSCTL VARIABLES 126*8aaffd78SIgor OstapenkoThe following variables are available: 127*8aaffd78SIgor Ostapenko.Bl -tag -width indent 128*8aaffd78SIgor Ostapenko.It Va net.dummymbuf.rules 129*8aaffd78SIgor OstapenkoA string representing a single set of 130*8aaffd78SIgor Ostapenko.Sx RULES 131*8aaffd78SIgor Ostapenkoshared among all 132*8aaffd78SIgor Ostapenko.Nm 133*8aaffd78SIgor Ostapenkohooks. 134*8aaffd78SIgor Ostapenko.It Va net.dummymbuf.hits 135*8aaffd78SIgor OstapenkoNumber of times a rule has been applied. 136*8aaffd78SIgor OstapenkoIt is reset to zero upon writing. 137*8aaffd78SIgor Ostapenko.El 138*8aaffd78SIgor Ostapenko.Sh EXAMPLES 139*8aaffd78SIgor OstapenkoAs it was intended, 140*8aaffd78SIgor Ostapenko.Nm 141*8aaffd78SIgor Ostapenkocan be found useful for firewall testing. 142*8aaffd78SIgor OstapenkoA mbuf chain could be altered before it hits a firewall to test that the latter 143*8aaffd78SIgor Ostapenkocan handle a case respectively. 144*8aaffd78SIgor OstapenkoThus, it is important to have correct sequence of hooks. 145*8aaffd78SIgor OstapenkoA test case should prepare and enable a firewall first to get its hooks linked. 146*8aaffd78SIgor OstapenkoAfter, the 147*8aaffd78SIgor Ostapenko.Xr pfilctl 8 148*8aaffd78SIgor Ostapenkoshould be used to link 149*8aaffd78SIgor Ostapenko.Nm 150*8aaffd78SIgor Ostapenkohook(s) to put them in front of a firewall. 151*8aaffd78SIgor Ostapenko.Pp 152*8aaffd78SIgor OstapenkoThe following links 153*8aaffd78SIgor Ostapenko.Va dummymbuf:inet6 154*8aaffd78SIgor Ostapenkohook for inbound and puts it in front of other hooks: 155*8aaffd78SIgor Ostapenko.Bd -literal -offset indent 156*8aaffd78SIgor Ostapenkopfilctl link -i dummymbuf:inet6 inet6 157*8aaffd78SIgor Ostapenko.Ed 158*8aaffd78SIgor Ostapenko.Pp 159*8aaffd78SIgor OstapenkoAnd this does the same for outbound: 160*8aaffd78SIgor Ostapenko.Bd -literal -offset indent 161*8aaffd78SIgor Ostapenkopfilctl link -o -a dummymbuf:inet6 inet6 162*8aaffd78SIgor Ostapenko.Ed 163*8aaffd78SIgor Ostapenko.Pp 164*8aaffd78SIgor OstapenkoFor instance, we want to test a scenario in which the very first mbuf in a 165*8aaffd78SIgor Ostapenkochain has zero m_len, to verify that a firewall can correctly read the 166*8aaffd78SIgor Ostapenkopacket data despite that. 167*8aaffd78SIgor OstapenkoThe following set of rules does it for inbound and outbound: 168*8aaffd78SIgor Ostapenko.Bd -literal -offset indent 169*8aaffd78SIgor Ostapenkosysctl net.dummymbuf.rules="inet6 in em0 pull-head 0; inet6 out em0 pull-head 0;" 170*8aaffd78SIgor Ostapenko.Ed 171*8aaffd78SIgor Ostapenko.Pp 172*8aaffd78SIgor OstapenkoIt is encouraged to verify 173*8aaffd78SIgor Ostapenko.Va net.dummymbuf.hits 174*8aaffd78SIgor Ostapenkosysctl counter along with other test assertions to make sure that 175*8aaffd78SIgor Ostapenko.Nm 176*8aaffd78SIgor Ostapenkoreally does its work and there is no false positive due to misconfiguration. 177*8aaffd78SIgor OstapenkoIt is a good idea to reset it before the action: 178*8aaffd78SIgor Ostapenko.Bd -literal -offset indent 179*8aaffd78SIgor Ostapenkosysctl net.dummymbuf.hits=0 180*8aaffd78SIgor Ostapenko.Ed 181*8aaffd78SIgor Ostapenko.Pp 182*8aaffd78SIgor OstapenkoIt is equally important to cleanup the things after the test case: 183*8aaffd78SIgor Ostapenko.Bd -literal -offset indent 184*8aaffd78SIgor Ostapenkopfilctl unlink -i dummymbuf:inet6 inet6 185*8aaffd78SIgor Ostapenkopfilctl unlink -o dummymbuf:inet6 inet6 186*8aaffd78SIgor Ostapenkosysctl net.dummymbuf.rules="" 187*8aaffd78SIgor Ostapenko.Ed 188*8aaffd78SIgor Ostapenko.Pp 189*8aaffd78SIgor OstapenkoIf a test case operates within a temporary vnet then explicit cleanup can be 190*8aaffd78SIgor Ostapenkoomitted, the 191*8aaffd78SIgor Ostapenko.Nm 192*8aaffd78SIgor Ostapenkofacilities will vanish along with its vnet instance. 193*8aaffd78SIgor Ostapenko.Sh DIAGNOSTICS 194*8aaffd78SIgor Ostapenko.Bl -diag 195*8aaffd78SIgor Ostapenko.It "dummymbuf: <filter match>: rule parsing failed: <the rule in question>" 196*8aaffd78SIgor OstapenkoIf everything looks fine then extra spaces removal may help due to the parser 197*8aaffd78SIgor Ostapenkois kept very simple. 198*8aaffd78SIgor Ostapenko.It "dummymbuf: <filter match>: mbuf operation failed: <the rule in question>" 199*8aaffd78SIgor OstapenkoIncorrect operation argument has been found, mbuf allocation has failed, etc. 200*8aaffd78SIgor Ostapenko.El 201*8aaffd78SIgor Ostapenko.Sh SEE ALSO 202*8aaffd78SIgor Ostapenko.Xr jail 2 , 203*8aaffd78SIgor Ostapenko.Xr pfilctl 8 , 204*8aaffd78SIgor Ostapenko.Xr mbuf 9 , 205*8aaffd78SIgor Ostapenko.Xr pfil 9 , 206*8aaffd78SIgor Ostapenko.Xr VNET 9 207*8aaffd78SIgor Ostapenko.Sh AUTHORS 208*8aaffd78SIgor OstapenkoThe module and this manual page were written by 209*8aaffd78SIgor Ostapenko.An Igor Ostapenko Aq Mt pm@igoro.pro . 210